Channel: Issues for Drupal core

Add functionality to impersonate a user


Problem/Motivation

Currently Drupal has no unified API that allows safe user impersonation in code. This functionality is often needed by core and contrib, and each module implements it in a different way, some of them not secure. This may be considered a security improvement since:

  1. It can help people avoid unsafe impersonation constructs as outlined in Safely Impersonating Another User.
  2. It makes it possible to nest multiple impersonation levels without having the innermost impersonation logic incorrectly re-enable session saving when it finishes (see http://drupal.org/comment/reply/287292#comment-2873752).

Proposed resolution

Implement AccountProxy::impersonateAccount() and AccountProxy::revertAccount().
Streamline the use of account "impersonations" throughout core (mostly in tests). Ideally a single approach would be used everywhere.
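The following is an added illustration of the two points above (the nested-impersonation problem from Problem/Motivation and the proposed impersonateAccount()/revertAccount() pair); it is not Drupal's code. The AccountProxy class, the Account class and the SessionSaving stand-in for the session_save_session() flag are all assumptions constructed for this script. The proxy keeps a stack of previous accounts, so only the outermost impersonation disables session saving and only the outermost revert restores it; an inner revert can no longer switch session saving back on underneath an outer impersonation.

```php
<?php
// Added illustration, not Drupal's own code: a hypothetical AccountProxy with
// impersonateAccount() / revertAccount() that keeps a stack of previous
// accounts and only touches session saving at the outermost level. The
// Account class and the SessionSaving stand-in are constructed for this script.

/** Stand-in for Drupal's session_save_session() flag (assumption). */
final class SessionSaving {
  public static bool $enabled = TRUE;
}

/** Minimal account object (assumption; real code would use the user entity). */
final class Account {
  public function __construct(public int $uid, public string $name) {}
}

final class AccountProxy {
  private Account $current;
  /** @var Account[] Accounts saved by nested impersonations, innermost last. */
  private array $stack = [];
  /** Session-saving state captured before the outermost impersonation. */
  private ?bool $savedSessionState = NULL;

  public function __construct(Account $initial) {
    $this->current = $initial;
  }

  public function getAccount(): Account {
    return $this->current;
  }

  public function impersonateAccount(Account $account): void {
    // Only the outermost impersonation disables session saving, so that an
    // inner revert can never switch it back on underneath an outer one.
    if ($this->stack === []) {
      $this->savedSessionState = SessionSaving::$enabled;
      SessionSaving::$enabled = FALSE;
    }
    $this->stack[] = $this->current;
    $this->current = $account;
  }

  public function revertAccount(): void {
    if ($this->stack === []) {
      throw new LogicException('revertAccount() without a matching impersonateAccount().');
    }
    $this->current = array_pop($this->stack);
    if ($this->stack === []) {
      // Outermost revert: restore exactly the state the caller started with.
      SessionSaving::$enabled = $this->savedSessionState;
      $this->savedSessionState = NULL;
    }
  }
}

function check(bool $condition, string $what): void {
  if (!$condition) {
    throw new RuntimeException("check failed: $what");
  }
}

// Constructed sample accounts.
$anonymous = new Account(0, 'anonymous');
$root      = new Account(1, 'admin');
$editor    = new Account(42, 'editor');

$proxy = new AccountProxy($anonymous);

$proxy->impersonateAccount($root);                 // outer level
try {
  check(SessionSaving::$enabled === FALSE, 'outer impersonation disables session saving');

  $proxy->impersonateAccount($editor);             // nested level
  try {
    check($proxy->getAccount()->uid === 42, 'inner level is the editor');
  }
  finally {
    $proxy->revertAccount();                       // inner revert ...
  }
  check($proxy->getAccount()->uid === 1, 'inner revert returns to root');
  check(SessionSaving::$enabled === FALSE, '... and leaves session saving off');
}
finally {
  $proxy->revertAccount();                         // outer revert
}
check($proxy->getAccount()->uid === 0, 'outer revert returns to the original user');
check(SessionSaving::$enabled === TRUE, 'session saving restored only at the outermost level');

echo "Nested impersonation reverted cleanly.\n";
```

Two design choices matter for safety here: the revert is always placed in a `finally` block, so an exception thrown while impersonating cannot leave the request running as the elevated account, and an unbalanced revertAccount() throws rather than silently corrupting the stack.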

Remaining tasks

Commit.

User interface changes

None

API changes

API addition: two new methods for safely impersonating an account.

Original report by @drewish

I'm trying to write tests for file.inc and several of the validation functions need to switch to a uid=1 and non-uid=1 users. I know about DrupalWebTestCase::drupalLogin() but it affects the web browser's user not the global $user. chx pointed me toward [#218104] which provided the method for doing this in tests:

<?php

/**
 * Tests file_validate_extensions() for the root user (uid 1).
 */
function testFileValidateExtensionsUid1() {
  global $user;
  $original_user = $user;
  // Disable session saving so the impersonation is not written back to the
  // session of the account running the test.
  session_save_session(FALSE);
  // Run these tests as user 1.
  $user = user_load(array('uid' => 1));

  $file = new stdClass();
  $file->filename = 'asdf.txt';
  $errors = file_validate_extensions($file, 'asdf txt pork');
  $this->assertEqual(count($errors), 0, t("Valid extension accepted."));

  $file->filename = 'asdf.txt';
  $errors = file_validate_extensions($file, 'exe png');
  $this->assertEqual(count($errors), 0, t("Invalid extension also accepted -- they're uid 1."));

  // Restore the original user and unconditionally re-enable session saving.
  $user = $original_user;
  session_save_session(TRUE);
}

/**
 * Tests file_validate_extensions() for a regular (non-uid 1) user.
 */
function testFileValidateExtensionsUidNot1() {
  global $user;
  $original_user = $user;
  session_save_session(FALSE);
  // Run these tests as a regular user.
  $user = $this->drupalCreateUser();

  $file = new stdClass();
  $file->filename = 'asdf.txt';
  $errors = file_validate_extensions($file, 'asdf txt pork');
  $this->assertEqual(count($errors), 0, t("Valid extension accepted."));

  $file->filename = 'asdf.txt';
  $errors = file_validate_extensions($file, 'exe png');
  $this->assertEqual(count($errors), 1, t("Invalid extension blocked."));

  // Restore the original user and unconditionally re-enable session saving.
  $user = $original_user;
  session_save_session(TRUE);
}
?>

It's just enough code to be a pain and clutter up the tests. It seems like it would be better to have DrupalWebTestCase::drupalSetUser() and ::drupalRestoreUser() or something like that to make this a little saner.
